CAN-SPAM, CASL and GDPR – Why Knowing the Difference is Critical

With GDPR set to go into force next month, promising sweeping changes to Europe’s privacy laws, organizations are shifting their compliance efforts into top gear.

According to a recent PwC survey, more than half of US multinationals identify GDPR as a top priority -- with 77% planning to spend $1 million or more on compliance.

Many businesses, compliant with North American laws, including CASL in Canada and CAN-SPAM in the US, may feel they’re prepared. But as Microsoft President Brad Smith recently told the Financial Post, if you have customers or employees in the EU -- even if you know nothing about the EU -- GDPR matters to you.

There are critical differences companies need to understand -- or they could put themselves at risk. Here’s a comparison between CAN-SPAM, CASL and GDPR, and what the new rules could mean for your business.

Where privacy laws overlap

GDPR, CASL and CAN-SPAM share core provisions to deal with spam and malicious messages. That includes measures to...

Specify penalties for infraction including fines and private right of action (PRA)

The key differences: data processing and consent

Each privacy law differs, however, on scope and rigor.

CAN-SPAM, for example, was groundbreaking when first passed in 2003. But its rules, focused on “King” email spammers, have since become antiquated. Mockingly called “You-Can-Spam”, the law has also been criticized as too lenient by many commentators.

In contrast, CASL, in force since 2014, is one of the toughest anti-spam laws in the world, according to Deloitte. Unlike CAN-SPAM, it uses tough “opt-in” consent rules giving consumers far greater say over what messages they receive. It also addresses new electronic threats, such as malware and spyware, not accounted for in CAN-SPAM.

Set to go into effect on May 25, 2018, GDPR represents the next step up. The regulation is intended to extend a “single set of rules” across the EU and tackle privacy challenges highlighted by the Equifax hack and Cambridge Analytica scandal.

Under GDPR, consent for sending messages must be “freely given, specific, informed and unambiguous.” And similar consent rules apply to how you “process” personal data. (In Canada, data privacy is governed by a separate piece of legislation, PIPEDA.)

GDPR will apply to all companies handling the personal data of people in the EU, regardless of the company’s location.

Each time you gather consent from someone you will therefore need to do the following:

Obtain consent just before you send an email

Obtain it again each time you want to contact a person for a different product or campaign

Include the identity of your company

Include a clear, plain-language explanation of how you will use (i.e., “process”) their data

Include any further explanation of who you will share their data with

In addition, under GDPR, persons gain several rights with regard to their data, including the right to be made aware of these rights when their consent is gathered. These rights include:

The right to withdraw consent

The right to be forgotten

The right to see and correct their personal data

The right to object to processing

In summary, when doing business in the EU or with EU companies, it’s critical to keep the following in mind:

First, you must have explicit prior consent before sending any unsolicited direct marketing by email. Every email you send, from simple newsletters to drip campaigns, must comply with the law.

You’ll need to make sure persons can easily withdraw consent and have their data erased (i.e., exercise their “right to be forgotten”).

Finally, you’ll also need rock-solid processes for documenting and verifying consent -- including archived evidence of consent such as emails, screen prints, call recordings and signed documents.

Exceptions to explicit consent

Given GDPR’s complexity, relying on overt consent for all data processing can be risky and time-consuming. Gathering explicit consent may seem a safe default option, but it may place you in a legal “catch-22”.

Thankfully, like CASL, GDPR provides a few reasonable exceptions that can serve as your first choice. For example, you can process a person’s data without explicit consent when it is…

in compliance with a legal obligation

in the person’s vital interest

a legitimate interest of your own

or what’s known as a “public task”.

The bottom line

With GDPR going into effect next month, businesses in North America need to get informed -- whether they’ve got employees in the EU, plan to market to EU consumers or handle personal information collected in the EU.

If you want to know more about GDPR, our UK team have put together a GDPR Information Hub packed with essential resources to help you quickly learn the law and turn it into a profitable opportunity.
